Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 866713 (CVE-2022-38128, CVE-2022-38533) - sys-devel/binutils: heap buffer overflow
Summary: sys-devel/binutils: heap buffer overflow
Alias: CVE-2022-38128, CVE-2022-38533
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [upstream/ebuild]
Depends on:
Reported: 2022-08-26 15:46 UTC by John Helmert III
Modified: 2022-11-06 22:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-26 15:46:13 UTC

In GNU Binutils before 2.4.0, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.

It obviously means 2.40.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-02 00:05:30 UTC
CVE-2022-38128 (

An infinite loop may be triggered in display_debug_abbrev() function in binutils/dwarf.c while opening a crafted ELF, which may lead to denial of service by a local attacker.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2022-11-06 22:24:20 UTC
Fixed for 2.40, backport nontrivial